Due to the risks associated with LWAR, a corporate decision has been made to remove the

usage of local admin rights from workstations throughout the organization. However, as
some approved functionality requires elevated permissions, a new solution has been put in
place to manage those use-cases in order to allow continued productivity. We are currently
in the process of building rules/policies in to AppSense Application Manager (ASAM) to
seamlessly manage these functions without any intervention by the user (once they are in
the appropriate global group to allow that activity).

Researching, building, approving, and testing these policies will take more time than has
been allowed to retire LWAR from the environment, so as an interim solution, a general
policy has been created to allow users to self-elevate their privileges as needed. This
solution provides the necessary functionality and security protection being pursued by the
removal of LWAR as it requires manual intervention on behalf of the user, and also enables
auditing capabilities to monitor the usage.

If you have a requirement for elevated permissions, follow the process below:

1. In order for ASAM policies to provide functionality based on the policies that are
created AppSense Application Manager (8.7 or higher) must be installed. This has
already been distributed throughout the environment, but it is not yet a part of the
standard image so there may be some devices that do not have it yet. If an
installation is required, please contact your BSL.

2. To Install AppSense Application Manager, please contact your BSL as below.(This is a

SR request need to be raised from BSL end)

HYD 1 BSL is Raichuri, Sridevi <sridevi_raichuri@optum.com>

HYD 2 BSL is Venkatesh, Sumathi <sumathi_rathnam@optum.com>
Gurgaon : Kanika Taneja(kanika_taneja@optum.com)
Noida :Gaurika Malik (gaurika_malik@optum.com)

Please keep your employee ID and machine name ready to provide to your BSL. And
please contact BSL through mail or communicator. If Appsense Application Manager
needs to install for more people collect all the employee IDs and machine names
respectively and send a mail to BSL asking to raise SR for them.
Once the SR is raised the RCO team will contact you to install ASAM.
And please make sure that your machine has no problem after installation.(Some
times your machine will be restarted automatically, then you should contact the RCO
team and correct it.)

3. Submit a Secure request to request access to the ASAM_SelfElevationTemp group.

(This is secure request need to be raised from our end)
1. Go to Request New Access
2. Select Platform (Next)
3. Select Windows from the list of values
4. Make sure MS is the selected domain (Next)
5. Select your User ID (Next)
6. In the Search groups by group name field, paste: ASAM_SelfElevationTemp
 7. Click Search
8. Select ASAM_SelfElevationTemp : ASAM_SelfElevation Temp users from the list of

Available Groups and click the button to move it in to the Selected Groups
box (Next)
9. Type a detailed description explaining how you use administrative privileges and
what its business justification is

I as developer need local admin access rights for my system to run Microsoft Visual Studio 2012 Premium with MSDN and to
create workspace under c:/.

10.Click Submit

Note: This is only a temporary solution. Eventually the needs of software that require
elevated permissions will be managed by policies that are built for ASAM, and
functionality will be provisioned by requesting specific global groups.

Once approved, all that is required to run something with administrative rights is to:

Right-click on the file/program

Select Run with Administrative Rights (Audited)

Type in an explanation about why the elevation is required

Click Continue, and the file/program will launch

Please make sure that if you have critical business reasons that you use local administrative
rights that those are communicated to the project team by completing this questionnaire.
Provide a detailed description with as many technical details as possible, and make sure to
reference any applications it impacts. This information will be used to assist with the
creation of rules/policies to enable functionality that is blocked without the use of
administrative rights.